CRA Cheat Sheet 2026

The 30 highest-yield CRA facts, distilled from real exam questions. Print it, save it as a PDF, or study it here — free, no sign-up.

50 questions
90 min time limit
70.00% to pass
  1. What is the primary role of senior management in a business continuity program? To provide strategic direction, resources, and accountability for the BCP program
  2. Why is it important to assess both internal and external risks? It helps identify all possible risk sources
  3. What is the recommended review frequency for high-risk vendor relationships according to leading TPRM practices? At least annually, with more frequent reviews based on elevated risk or material changes
  4. What does supply chain resilience mean in an enterprise risk context? The capacity to maintain operations when key supply chain disruptions occur
  5. How does regulatory compliance impact risk management? Regulatory compliance helps mitigate legal risks and align with industry standards
  6. Which of the following is the PRIMARY purpose of establishing Key Risk Indicators (KRIs) as part of a risk control system? To provide an early warning that a risk is more likely to occur.
  7. Which of the following best describes 'fourth-party risk' in vendor risk management? Risk posed by the subcontractors or suppliers used by your direct vendors
  8. What is the role of stakeholders in the risk management process? Stakeholders provide insights and help prioritize risks
  9. What is the importance of analyzing the likelihood and impact of risks? It helps prioritize risk mitigation efforts
  10. What is the main goal of enterprise risk management (ERM)? To identify and manage risks to achieve business goals
  11. What is the significance of aligning risk management with business strategy? It ensures that risk management is integrated into business goals
  12. Why is training employees on compliance important? To ensure employees understand their roles and responsibilities
  13. How does an ERM framework contribute to strategic decision-making? It helps identify opportunities and threats, enabling better decision-making
  14. What is the primary purpose of a Business Impact Analysis (BIA)? To identify critical business functions and quantify the impact of their disruption
  15. Why is it important to continuously monitor risks? To identify new risks and evaluate mitigation strategies
  16. Which risk category is most directly associated with a critical vendor experiencing financial insolvency? Vendor exit and service continuity risk
  17. What is the primary challenge of unstructured data in risk management analytics? It is difficult to analyze using traditional risk modeling tools
  18. What is the primary purpose of a vendor scorecard in ongoing vendor relationship management? To continuously measure vendor performance against defined KPIs and risk metrics
  19. Why is communication important in the ERM process? It fosters transparency and collaboration in managing risks
  20. Which U.S. regulatory guidance specifically requires financial institutions to conduct comprehensive due diligence on critical third-party service providers? OCC Bulletin 2013-29 on Third-Party Relationships
  21. What does 'inherent risk' represent in a third-party risk assessment? The level of risk that exists before any controls or mitigations are in place
  22. What is 'model risk' in the context of risk management systems? The risk of loss resulting from inaccurate or misused quantitative models
  23. What is the primary purpose of a Risk Information System (RIS)? To centralize and manage risk data for reporting and analysis
  24. What is a key component of an ERM framework? Defining risk tolerance levels
  25. What is the primary purpose of regulatory compliance in risk management? To avoid fines and legal consequences
  26. How can you evaluate the effectiveness of a risk mitigation strategy? By tracking performance and making necessary adjustments
  27. What is cyber resilience in the context of business continuity management? The ability to continuously deliver intended outcomes despite cyber attacks or incidents
  28. What is a common method used to assess risks in an organization? Risk mapping and scenario analysis
  29. What is the significance of transparency in compliance? It promotes trust and accountability
  30. Which of the following items is typically included in a vendor due diligence questionnaire (DDQ)? Information on security controls, financial stability, and regulatory compliance posture
Turn these facts into recall: